Skip to content

Comments

Create cleaner.yml#269

Closed
vib-adhoc wants to merge 1 commit into18.0from
18.0-update-purchase
Closed

Create cleaner.yml#269
vib-adhoc wants to merge 1 commit into18.0from
18.0-update-purchase

Conversation

@vib-adhoc
Copy link
Contributor

@vib-adhoc vib-adhoc commented Aug 18, 2025

Automatic update using copier template

@roboadhoc
Copy link

roboadhoc commented Aug 18, 2025

Pull request status dashboard

github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 18, 2025
View reviewed changes
.github/workflows/cleaner.yml
Comment on lines +21 to +158
runs-on: ubuntu-latest
if: >
github.repository_owner == 'ingadhoc' &&
(
(github.event_name == 'workflow_dispatch') ||
(github.event_name == 'deployment_status' && github.event.deployment_status.state == 'success')
)
steps:
- name: Delete branch from base and fork repos
uses: actions/github-script@v6
id: pr_data_fetcher
with:
script: |
// Get PR information
core.info('Fetching PR data and validating conditions...');

// Debug info
const eventName = context.eventName;
core.info(`El nombre del evento es: ${eventName}`);
core.info(JSON.stringify(context, null, 2))
// End Debug info

let repoOwner = context.repo.owner;
let repoName = context.repo.repo;
let pullRequest;

if (context.eventName === 'workflow_dispatch' || context.eventName === 'deployment_status') {
let prNumber = 0;
if (context.eventName === 'workflow_dispatch') {
prNumber = context.payload.inputs.pull_request_number;
core.info(`Manual trigger for PR #${prNumber}`);
}

if (context.eventName === 'deployment_status') {
prNumber = context.payload.deployment_status.description.split("#")[1].split(" ")[0];
core.info(`deployment_status trigger for PR #${prNumber}`);
}

// Fetch the PR data using the number
pullRequest = (await github.rest.pulls.get({
owner: repoOwner,
repo: repoName,
pull_number: prNumber,
})).data;

core.info(JSON.stringify(pullRequest, null, 2))

if (pullRequest.merged === true) {
core.info(`PR #${prNumber} was merged. No action needed.`);
core.setOutput('validation_passed', 'false');
return;
}

// Fetch the PR timeline to find the 'closed' event
const timeline = await github.rest.issues.listEventsForTimeline({
owner: repoOwner,
repo: repoName,
issue_number: prNumber,
});

// Find the 'closed' event in the timeline
const closeEvent = timeline.data.find(event => event.event === 'closed');

// Get the user who closed the PR from the event
const closedByLogin = closeEvent && closeEvent.actor ? closeEvent.actor.login : null;

if (closedByLogin !== 'roboadhoc') {
core.info(`PR #${prNumber} was not closed by 'roboadhoc' (${closedByLogin}). No action needed.`);
core.setOutput('validation_passed', 'false');
return;
}

} else {
core.setOutput('validation_passed', 'false');
core.error(`Unsupported event type: ${context.eventName}`);
return;
}

// Set outputs for subsequent steps
core.setOutput('validation_passed', 'true');
core.setOutput('base_repo_owner', repoOwner);
core.setOutput('base_repo_name', repoName);
core.setOutput('base_branch_name', pullRequest.head.ref);
core.setOutput('head_repo_full_name', pullRequest.head.repo.full_name);
core.setOutput('head_repo_owner', pullRequest.head.repo.owner.login);
core.setOutput('head_repo_name', pullRequest.head.repo.name);
core.setOutput('is_fork', pullRequest.head.repo.full_name !== context.repo.owner + '/' + context.repo.repo);

- name: Delete branch from the base repository
uses: actions/github-script@v6
if: ${{ steps.pr_data_fetcher.outputs.validation_passed == 'true' }}
with:
github-token: ${{ github.token }}
script: |
const baseBranchName = `${{ steps.pr_data_fetcher.outputs.base_branch_name }}`;
const baseRepoOwner = `${{ steps.pr_data_fetcher.outputs.base_repo_owner }}`;
const baseRepoName = `${{ steps.pr_data_fetcher.outputs.base_repo_name }}`;
try {
core.info(`Attempting to delete branch '${baseBranchName}' from base repo '${baseRepoOwner}/${baseRepoName}'`);
await github.rest.git.deleteRef({
owner: baseRepoOwner,
repo: baseRepoName,
ref: `heads/${baseBranchName}`,
});
core.info(`Branch '${baseBranchName}' deleted from base repo successfully.`);
} catch (error) {
if (error.status === 422) {
core.info(`Branch '${baseBranchName}' in base repo already deleted. No action needed.`);
} else {
console.error(`Error deleting branch '${baseBranchName}' from base repo: ${error.message}`);
}
}

- name: Delete branch from the fork repository (adhoc-dev)
if: ${{ steps.pr_data_fetcher.outputs.validation_passed == 'true' }}
uses: actions/github-script@v6
with:
github-token: ${{ secrets.EXTERNAL_REPO_TOKEN_CLEANER_ADHOC_DEV || github.token }}
script: |
const baseBranchName = `${{ steps.pr_data_fetcher.outputs.base_branch_name }}`;
const headRepoOwner = 'adhoc-dev';
const headRepoName = `${{ steps.pr_data_fetcher.outputs.head_repo_name }}`;

try {
core.info(`PR comes from a fork. Attempting to delete branch from fork repo '${headRepoOwner}/${headRepoName}'`);
await github.rest.git.deleteRef({
owner: headRepoOwner,
repo: headRepoName,
ref: `heads/${baseBranchName}`,
});
core.info(`Branch '${baseBranchName}' deleted from fork repo successfully.`);
} catch (error) {
if (error.status === 422) {
core.info(`Branch '${baseBranchName}' in fork repo already deleted. No action needed.`);
} else {
console.error(`Error deleting branch '${baseBranchName}' from fork repo: ${error.message}`);
}
}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 6 months ago

To fix the problem, you should add a permissions block to the workflow, either at the root level (to apply to all jobs) or at the job level (to apply only to the delete-branch job). The permissions should be set to the minimum required for the workflow to function. Since the workflow deletes branches, it needs contents: write permission to delete branches in the repository. If the workflow also interacts with pull requests or issues, you may need to add pull-requests: write or issues: write, but in this case, only branch deletion is performed, so contents: write is sufficient. The change should be made near the top of the file, after the name: block and before the on: block, or inside the delete-branch job definition.

Suggested changeset 1
.github/workflows/cleaner.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/cleaner.yml b/.github/workflows/cleaner.yml
--- a/.github/workflows/cleaner.yml
+++ b/.github/workflows/cleaner.yml
@@ -4,6 +4,9 @@
 
 name: Delete PR branch from fork and base repo
 
+permissions:
+  contents: write
+
 on:
 
   deployment_status:
EOF
@@ -4,6 +4,9 @@

name: Delete PR branch from fork and base repo

permissions:
contents: write

on:

deployment_status:
Copilot is powered by AI and may make mistakes. Always verify output.
@vib-adhoc vib-adhoc closed this Aug 18, 2025
@vib-adhoc vib-adhoc deleted the 18.0-update-purchase branch August 18, 2025 22:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vib-adhoc @roboadhoc